I installed mod_security on 2 CentOS 7 servers. Both got this config:

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIFHZ
SecAuditLogType Concurrent
SecAuditLog /var/log/modsec_audit.log
SecAuditLogStorageDir /var/log/modsecurity/audit
SecAuditLogDirMode "default"
SecAuditLogFileMode "default"

But on server A the logs look like this:

example.com 134.249.53.xx - - [10/Aug/2016:22:07:26 +0200] "POST /wp-login.php HTTP/1.0" 200 1598 "-" "-" V6uJflxhoyWp4zhOzImhlAAAAQ4 "-" /20160810/20160810-2207/20160810-220726-V6uJflxhoyWp4zhOzImhlAAAAQ4 0 1546 md5:ea867817aed5ba17597f6e71b96920b9 

And on server B the logs look like this:

[modsecurity] [client 37.115.191.xx] [domain example.org] [403] [/apache/20160810/20160810-1923/20160810-192353-V6tjKYO6c3SIxYXHutIdrwAAAFY]  [file "/etc/httpd/conf/modsecurity.d/rules/comodo/09_Bruteforce_Bruteforce.conf"] [line "58"] [id "230011"] [rev "2"] [msg "COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication.||side-by-side-kuehlschrank.eu|F"] [data "Current Username: sergej"] Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count.

I do not quite get why server B writes [modsecurity] and all the other information this way.

Any ideas?

MyFault

1 Answer

The first looks like access log and second looks like error log. Are you sure you're looking at the same thing on both servers?

Additionally what version of ModSecurity are you running on each? The latest version 2.9.1 changed to using the Apache logging as defined by ErrorLogFormat so if you have that set for one server but not the other then that might also explain it.

Barry Pollard
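To make the distinction in the answer concrete, here is an added example (not part of the question or of Barry Pollard's answer, and not ModSecurity's own code) that classifies the two line shapes shown above: the access-log-like index line that SecAuditLogType Concurrent writes to SecAuditLog, and the bracketed alert line that ModSecurity writes to the Apache error log. Both carry the transaction's unique ID (the index line as its own field, the error-log line at the end of the audit file path), so the parser pulls it out of each and can tell whether two entries belong to the same transaction. The regular expressions are assumptions derived from the two excerpts in the question; the sample strings are constructed copies of those excerpts.

```python
import re

# Constructed samples, copied from the two excerpts in the question
# (client IPs are masked there as "xx"; that masking is kept).
SERVER_A_LINE = (
    'example.com 134.249.53.xx - - [10/Aug/2016:22:07:26 +0200] '
    '"POST /wp-login.php HTTP/1.0" 200 1598 "-" "-" '
    'V6uJflxhoyWp4zhOzImhlAAAAQ4 "-" '
    '/20160810/20160810-2207/20160810-220726-V6uJflxhoyWp4zhOzImhlAAAAQ4 '
    '0 1546 md5:ea867817aed5ba17597f6e71b96920b9'
)
SERVER_B_LINE = (
    '[modsecurity] [client 37.115.191.xx] [domain example.org] [403] '
    '[/apache/20160810/20160810-1923/20160810-192353-V6tjKYO6c3SIxYXHutIdrwAAAFY]  '
    '[file "/etc/httpd/conf/modsecurity.d/rules/comodo/09_Bruteforce_Bruteforce.conf"] '
    '[line "58"] [id "230011"] [rev "2"] '
    '[msg "COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted '
    'for Authentication.||side-by-side-kuehlschrank.eu|F"] '
    '[data "Current Username: sergej"] '
    'Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count.'
)

# Audit-log index line (SecAuditLogType Concurrent): an access-log-style prefix,
# then unique ID, session ID, per-transaction audit file, offset, size, md5.
# Field layout is assumed from the question's server A excerpt.
INDEX_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<unique_id>\S+) "(?P<session>[^"]*)" '
    r'(?P<audit_file>\S+) (?P<offset>\d+) (?P<size>\d+) md5:(?P<md5>[0-9a-f]{32})$'
)

# Error-log alert: bracketed "[key value]" / "[key "value"]" fields, e.g.
# [client ...], [file "..."], [id "..."], [msg "..."], [data "..."].
ERROR_FIELD_RE = re.compile(r'\[(?P<key>[a-z]+) "?(?P<value>[^"\]]*)"?\]')
# The bare "[403]" response code field.
ERROR_STATUS_RE = re.compile(r'\[(?P<status>\d{3})\]')
# The audit file path field; its basename is YYYYMMDD-HHMMSS-<unique id>.
ERROR_AUDIT_PATH_RE = re.compile(
    r'\[(?P<path>/[^\]]*?\d{8}-\d{6}-(?P<unique_id>[^\]/]+))\]'
)


def parse_line(line: str) -> dict:
    """Classify one line as an audit-log index entry ('audit_index') or an
    error-log alert ('error_log') and extract the fields that identify the
    transaction. Unrecognised lines come back as kind 'unknown'."""
    m = INDEX_RE.match(line.rstrip())
    if m:
        rec = m.groupdict()
        rec['kind'] = 'audit_index'
        # Sanity check: the audit file name should end with the unique ID,
        # which is how the index line points at the per-transaction file.
        rec['consistent'] = rec['audit_file'].endswith(rec['unique_id'])
        return rec
    if line.startswith('[modsecurity]'):
        rec = {key: value for key, value in ERROR_FIELD_RE.findall(line)}
        rec['kind'] = 'error_log'
        status = ERROR_STATUS_RE.search(line)
        rec['status'] = status.group('status') if status else None
        path = ERROR_AUDIT_PATH_RE.search(line)
        rec['audit_file'] = path.group('path') if path else None
        rec['unique_id'] = path.group('unique_id') if path else None
        return rec
    return {'kind': 'unknown'}


def same_transaction(a: dict, b: dict) -> bool:
    """True when two parsed records (from either log) carry the same unique ID."""
    return bool(a.get('unique_id')) and a.get('unique_id') == b.get('unique_id')


if __name__ == '__main__':
    for line in (SERVER_A_LINE, SERVER_B_LINE):
        rec = parse_line(line)
        print(rec['kind'], rec.get('status'), rec.get('unique_id'), rec.get('id'))
    print('same transaction:', same_transaction(parse_line(SERVER_A_LINE),
                                                 parse_line(SERVER_B_LINE)))
```

Run against the two excerpts, the parser labels server A's line as an audit-log index entry and server B's line as an error-log alert with rule id 230011, which is the answer's point: the two servers are showing two different log streams, not two formats of the same log. On a single server, feeding both files through parse_line and grouping on unique_id is a quick way to line up an alert with the audit file that holds the full request.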